Privacy Policy
Introduction
The General Data Protection Regulations (GDPR) came into effect on 25 May 2018. Under the terms of GDPR, not only do organisations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it are obliged to protect it from misuse and exploitation, as well as to respect the rights of data. GDPR requires that personal data shall be:
- processed lawfully, fairly and transparently
- collected only for specific, explicit and legitimate reasons and not then used for any other purpose
- adequate, relevant and limited to the explicit purpose
- accurate and kept up-to-date
- restricted in terms of the identification of individuals for only as long as necessary for the explicit purpose
- processed in a way that ensures security against unauthorised or unlawful processing, disclosure, loss, destruction or damage.
Who we are
WorkWild is a social enterprise consultancy. We work with our clients to unlock assets for community purpose and the research, consultation, business and impact planning, policy and funding that supports asset-based regeneration. We work with regional and local authority clients, private sector and third sector organisations across the UK.
What personal data we hold and why we collect it
Personal data is often collected as part of community engagement or research projects. At the point of data collection, a Privacy Note will be presented to ensure that data subjects are aware of the lawful basis for the collection and processing of the data, who the data will be shared with (where applicable), and their rights concerning the data being collected. Data subjects are required to confirm that they consent to their personal data being used for the purpose that has been stated. Copies of the paperwork relating to this active informed consent are stored securely within the relevant project folder on our drive, and are available for audit if required. Where relevant, we will also provide the option to opt in to be kept up-to-date with meetings and progress on the project, as well as any related events in the future. The GDPR sets the age when a child can give their own consent to data processing at sixteen. We will never collect personal data from children under the age of sixteen unless consent has been provided from a person holding parental responsibility.
Privacy by design and default
Data protection and privacy issues are considered upfront in every situation relating to personal data. We ensure that privacy and data protection are key considerations in the early stages of any project, and then throughout its lifecycle to ensure compliance with GDPR.
How we process personal data
How personal data is processed varies from project to project and will be clearly specified within the Privacy Note at the point of data collection. Records of personal data processing activities are kept in the relevant project folder on our server.
What we do to protect personal data
WorkWild will comply with Article 32 of the GDPR, which refers to the security of processing of personal data. The level of security of data storage is assessed on a project-by-project basis and is appropriate to the risks presented by processing the data including the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed. All data held by WorkWild is stored securely and electronically on our company drive, which is password-protected as well as being backed up regularly to reduce the risk of data loss and ensure the timely restoration of access to the data in the event of a technical incident. All WorkWild employees have signed our internal Privacy Policy to confirm they understand their obligations under the GDPR concerning the confidentiality of personal data that they may come into contact with.
Who personal data may be shared with
Personal data will only ever be shared with organisations specified in the Privacy Note presented at the point of data collection, for example the council or local authority for whom we are processing the data. Personal data will never be passed on to any third party or used in any other way outside of that which has been specified. Findings resulting from the data we have processed will only be shared publicly in aggregate with specific data points anonymised.
How long we keep personal data
In accordance with Article 5 of the GDPR, personal data will be kept for no longer than is necessary for the purpose for which it is being processed. Unless otherwise specified by the Data Controller, personal data relating to community engagement projects will be deleted or anonymised twelve months after the completion of the project. Contact information that we may use for marketing purposes (to keep individuals or organisations informed about projects we are working on or to invite them to events we are hosting) will be kept securely on our drive until such time as we are notified that they no longer wish us to retain this information.
Rights of data subjects
Data subjects can request access to their personal information, request for inaccurate data to be corrected or updated, or request that the data is deleted. If consent has been given for information to be retained for marketing purposes or in order for an individual to be kept up-to-date with meetings and progress on a particular project, consent may be withdrawn at any time. Data access or erasure requests, or any queries relating to our privacy practices, can be made by contacting [email protected]. If an individual wishes to raise a complaint on how we have handled their personal data, they can contact us and we will investigate the matter. If they are not satisfied with our response or believe we are processing their personal data in a manner that is not in accordance with the law, they can complain to the Information Commissioner’s Office (ICO).
Evaluation
The facilities and measures in place to ensure compliance with the GDPR are regularly tested, assessed and evaluated.
GDPR and Brexit
The UK left the EU on 31 January 2020. Although the EU GDPR no longer applies directly in the UK, organisations must continue to comply with its requirements, as the Data Protection Act 2018 enacts the EU GDPR’s requirements in UK law. The UK government has issued the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, which amend the Data Protection Act 2018 and merge it with the requirements of the EU GDPR to form a data protection regime that works in a UK context post-Brexit. This new regime is known as ‘UK GDPR’. As there is very little material difference between the EU GDPR and the UK GDPR, organisations that process personal data must continue to comply with the requirements of the EU GDPR.
Contacting us
Any queries regarding the information we hold or our privacy practices can be made by contacting us at [email protected].